CVE-2024-38016

Improper Access Control (CWE-284)

Published: Sep 19, 2024 / Updated: 2mo ago

CVSS: 7.8 (High) / EPSS: 0.05%

Summary

Microsoft Office Visio Remote Code Execution Vulnerability. This vulnerability is associated with improper access control (CWE-284) in Microsoft Office Visio. It has a CVSS v3.1 base score of 7.8, indicating a high severity. The vulnerability requires user interaction and can be exploited locally with low attack complexity. No privileges are required for exploitation.

Impact

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with the same privileges as the victim user. The potential impacts are high for confidentiality, integrity, and availability. This means an attacker could potentially view, change, or delete data, install programs, or create new accounts with full user rights.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability.

Mitigation

1. Apply the latest security updates provided by Microsoft for affected versions of Microsoft Office Visio.
2. Implement the principle of least privilege, ensuring users operate with minimal necessary permissions.
3. Educate users about the risks of opening untrusted files or clicking on suspicious links, as user interaction is required for exploitation.
4. Consider implementing application whitelisting to prevent unauthorized code execution.
5. Regularly monitor and audit system activities to detect any potential exploitation attempts.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38016.

Sep 19, 2024 at 5:10 PM / MSRC Security Update Guide
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 19, 2024 at 5:12 PM
CVE Assignment

NVD published the first details for CVE-2024-38016

Sep 19, 2024 at 5:15 PM
CVSS

A CVSS base score of 7.8 has been assigned.

Sep 19, 2024 at 5:20 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 19, 2024 at 5:30 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (110477)

Sep 20, 2024 at 7:16 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 22.3%)

Sep 20, 2024 at 12:38 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 20.9%)

Nov 19, 2024 at 2:35 PM

Affected Systems

Microsoft/365_apps

Patches

Microsoft

Links to MITRE ATT&CK

T1546.004

Attack Patterns

CAPEC-19: Embedding Scripts within Scripts

References

CVE-2024-38016 - Security Update Guide - Microsoft - Microsoft Office Visio Remote Code Execution Vulnerability
According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
Microsoft Office Visio Remote Code Execution Vulnerability
Why does the CVE title indicate that this is a remote code execution? According to the CVSS metric, the attack vector is local (AV:L).
CVE-2024-38016 Microsoft Office Visio Remote Code Execution Vulnerability
Information published.

News

CVE-2024-38016 Microsoft Office Visio Remote Code Execution Vulnerability
A haunting Patch Tuesday for October: 117 updates (and 5 zero-day flaws)
Though there are patches affecting Windows, SQL Server, Microsoft Excel and Visual Studio, only the Windows updates require a “Patch Now” schedule — and they’ll need a significant amount of testing because they cover a lot of features: networking, kernel and core GDI components and Microsoft Hyper-V. Printing should be a core focus for enterprise testing and the SQL Server updates will require a focus on internally developed applications.
Security Bulletin 25 Sep 2024 - Cyber Security Agency of Singapore
CVE-2024-9014, pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to ...
CVEs have been published or revised in the Security Update Guide Sept 19 - DSLReports
These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide: • Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Microsoft Security Response Center (MSRC) security advisory: CVE-2024-38016 CVE-2024-38016 (7.8 high) Microsoft Office Visio Remote Code Execution Vulnerability Weird CVE drop outside of a Patch Tuesday when this is not exploited, not publicly disclosed, exploitation less likely. #CVE #Microsoft #CVE_2024_38016 #vulnerability #MSRC Additional Microsoft security advisories: CVE-2024-38221 (4.3 medium) Microsoft Edge (Chromium-based) Spoofing Vulnerability CVE-2024-43489 (6.5 medium) Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability CVE-2024-43496 (6.5 medium) Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Not exploited, not publicly disclosed, exploitation less likely. MSRC also patched against the six CVEs (8904-8909) from Google Chrome's Patch Tuesday blog post. #Microsoft #Edge #Chromium #chrome #vulnerability #CVE - Not Simon 🐐 (screaminggoat) September 19, 2024

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
